The GDPR introduced six data protection principles (listed below) which businesses must comply with when processing personal data. Businesses should also be able to demonstrate compliance through good data governance.
Data Protection Principles Under the GDPR
- Businesses must process personal data fairly and in a transparent manner.
- Businesses must collect personal data only for one or more specified, explicit and legitimate purposes.
- Businesses must ensure personal data is adequate, relevant and limited to what is necessary.
- Businesses must ensure personal data is accurate and kept up to date.
- Businesses shall not keep personal data for longer than is necessary.
- Businesses must “ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
What do the Principles Really Mean?
A business that does not comply with the six principles when it processes an individual’s personal data is not complying with the GDPR. However, the GDPR contains a lot more detail besides these six principles, and simply complying with these principles will not be enough on its own to demonstrate compliance with the GDPR.
What are the Significant Changes Brought in by the GDPR?
The GDPR requires businesses to process data “in a transparent manner”, so businesses will be expected to deal openly with any individuals with whom they interact.
Transparency is a key theme throughout the GDPR. When collecting data from individuals, businesses must explicitly state the purpose for which that data is being collected. Simply alluding to one or more potential purposes is not enough – the GDPR requires businesses to be explicit in listing those purposes and, if a purpose isn’t on the list, then the data cannot be used for this.
What Effect has this had on UK Businesses?
Businesses are expected to provide individuals with more information than previously provided, particularly around the purposes for which those individuals’ data is being collected. This is covered in more detail in the section on Privacy notices.
Businesses must refer back to the six GDPR principles in everything they do. Simply complying with these six principles will not, on its own, guarantee compliance with the GDPR, but a failure to comply with any one of these principles will result in a certain breach of the GDPR. Keeping records demonstrating good data governance has become even more important.
What Does my Business Need to Do?
Hopefully, you carried out an audit, updated your processes, and prepared a new privacy policy before the GDPR came into force. If you still don’t have a privacy policy, then that should be your priority.
Ensuring compliance with the principles is a continuing obligation rather than a ‘one off’ so you should be frequently reviewing and updating your internal practices and policies, and ensuring that all staff receive regular training on how they should be handling personal data. It’s important that you instil a culture of good data governance within the business and keep accurate records to evidence how you’re complying with the principles.